DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

National Emergency Management Information System (NEMIS) Access Control System

Public Summary

Office of Audits
OIG-04-02, December 2003

The NEMIS is the system the Federal Emergency Management Agency (FEMA), and now Emergency Preparedness and Response (EP&R), uses to manage its disaster response and recovery programs and to authorize millions of dollars in payments related to disaster response and recovery activities. The NEMIS Access Control System (NACS) facilitates the management of NEMIS user access rights and is the primary security control for NEMIS data and functions. FEMA’s Information Technology Service Directorate (ITSD) manages NEMIS and NACS.

The purpose of this audit, performed under contract by KPMG LLP, was to determine whether FEMA had developed and maintained NACS in a controlled manner and in accordance with relevant federal guidance. To accomplish this, the audit included reviews of certain NEMIS controls that directly affected NACS. Although NACS provides a reasonable mechanism for controlling access to NEMIS, both NACS and NEMIS controls could be improved. Specifically, NACS control weaknesses existed in the areas of separation of duties, access controls, audit trails, and training. NEMIS control weaknesses that directly affected NACS related to the need for a designated and accountable system owner, security planning, system certification and accreditation, contingency planning, and change management controls. Collectively, these weaknesses reduced FEMA’s ability to ensure the confidentiality, availability, and integrity of NEMIS data.

The OIG made 16 recommendations regarding NACS-specific control issues and NEMIS control issues that directly affect NACS. ITSD agreed with the report findings and recommendations, and agreed to prepare, coordinate, and implement a corrective action plan.

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
      DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.